Why CIOs Can’t Believe All That They Read About Security Breaches

Just because you can't keep them out, does this mean that CIOs can ignore hackers?

If a CIO picks up the paper, it seems like hackers are everywhere and getting into every IT department. Dare I say these modern-day cyber pirates seem almost unstoppable? If it turns out that there is no way to keep hackers from breaking into your company’s IT systems, then should a CIO really spend a lot of time and money trying to keep them out?

The Myth Of The Super Hacker

If you spend any time reading the newspapers, it can be easy to feel that every company out there is under assault. Teams of skilled hackers who go by names such as LulzSec and Anonymous seem to be in the news every other day as they take down or deface various high profile web sites. This type of assault has almost become part of the definition of information technology.

No matter what safeguards these firms seem to have had in place, still the hackers seem to be able to slip by them and have their way with the company’s IT systems. What’s a CIO to do?

The first thing that you need to do is to realize that you can’t lump all hackers together. Yes, there are some very skillful hackers out there who have the ability to cause a great deal of grief for any company in the IT sector that they decide to target. However, the good news is that the majority of hackers are not so skillful.

When you are reading the newspaper, you need to take a close look at what actually occurred as a result of a hacking exploit. Did a talented hacker break in and steal valuable customer data? Or did the company just suffer a distributed denial of service (DDoS) attack – a much less skillful form of digital vandalism?

Not all hackers are created the same, and CIOs need to take steps to protect their company from the majority of hackers who are simply looking for an unguarded door that will allow them to break into your digital warehouse of customer data.

What CIOs Need To Do To Defend The Company

All of this discussion leads us back to the basic question: what should a CIO do? The very first thing that a CIO needs to do is to not give up hope. Don’t just assume that all criminal hackers are gods. The reality is that most are not. This means that you can’t afford to let your guard down: in most cases, the basic steps that you take to secure the company will be good enough to keep most of the bad guys out.

This won’t keep the really bad, really skillful guys out. This is when your so-called second layer of defense needs to come into play. As a CIO you are going to have to assume that a skilled hacker who really wants to break into your company’s IT systems is going to be able to climb over the wall of defenses that you’ve put into place.

What a second layer of defense means is that even if a hacker gets inside of your company’s IT systems, he or she won’t be able to easily get their hands on your valuable customer data. Additionally, rogue employees, a much greater threat than skilled hackers, will also be unable to walk off with your company’s crown jewels.

It’s the responsibility of the CIO to consider likely scenarios like this. Once you’ve identified something that could happen, you are then obligated to take all of the necessary steps that will be needed in order to protect the company against lawsuits, fines, investigations, and, of course, post-event clean up activities.

What All Of This Means For You

Welcome to the real world, CIO – stuff happens here. Specifically, there are always going to be hackers out there who are looking for companies to break into. Your company could be next on their list.

If you take a look at all of the stories that are being reported in the press lately, it sure seems as though the hackers who are operating these days seem to be able to effortlessly slip into and out of any company that they choose. Nobody seems to be safe.

However, if you take a closer look, things become a bit clearer. Specifically, what you’ll discover is that there are actually two types of hacking going on: the simple distributed denial of service attacks and the more sophisticated break-ins. You may not be able to protect the company against an attack by skillful, educated hackers. However, you can take steps such as encrypting your data so that even if they do get in, the amount of damage that they can cause will be minimized.

CIOs can’t give up. The importance of information technology to your company is too great. Yes, the bad guys are going to win some of the battles. However, that doesn’t mean that the war is over. Instead, CIOs need to take steps to make sure that most hackers can’t get in and the ones that do can’t do much once they do get in. Make the effort now and you and your company will be safe later on.


What We’ll Be Talking About Next Time

Among all of the other jobs that a modern CIO is expected to perform, there is also that pesky “pursue an innovation strategy” thing. This is so critical that it should almost be a part of the definition of information technology. It’s not that pushing the IT department to become more innovative is all that difficult, I mean anyone can do that. The hard part for a CIO is trying to pick and choose from all of the different ways to be innovative – which way is the best for your IT department?

Dennis: Very good reply! I agree with most of what you say. A blog post is, by its very nature, a simplification of a potentially complex topic. I think that we’re in agreement that a CIO needs to take the time to understand exactly what data needs to be secured — all data is not created the same. Where I think that we’re differing is in how a (new) CIO needs to tackle the whole issue of data security. I agree that a layered approach is a good course of action, but a CIO needs to take bold decisive steps right off the bat that will secure 80% of what’s important and then spend the rest of his / her time worrying about how to nail down the remaining 20%. That was the main point that I was trying to make. I think that we can both agree that data security will remain a constant CIO challenge — nothing ever remains the same!

Let me kindly suggest that your post could be better written had you actually spent some time reviewing and investigating the available data.

As it sits, I simply cannot recommend your opinions above, as they contradict what information risk management actually does know about the nature, tactics, and relative sophistication of data breaches and incidents.

Alex: Huh? What data would you be referring to? T.J. Maxx did have 45 million of their customer records exposed to hackers via a POS hack. Is this what you are having problems with? Or do you feel that LulzSec and Anonymous really are spending their time going after every company?

Not sure what your issue is, but thanks for reading the article and taking the time to post a comment. Hope that your next post is clearer.